五月DeFi不平靜！Verus跨鏈橋遭駭11.58M鎂，本月攻擊事件增至13起

The privacy-focused and decentralized blockchain network Verus is currently experiencing a hacker attack on its Ethereum cross-chain bridge, with losses totaling approximately $11.58 million. Before the incident, 12 DeFi projects had already been attacked in May.

Verus cross-chain bridge reports hacking, losses exceed $11.58 million
----------------------

Verus, a privacy-focused and decentralized blockchain network, is currently under attack on its Ethereum cross-chain bridge, with an estimated loss of about $11.58 million. The official has not yet responded publicly or to the media.

According to investigations by cybersecurity firms PeckShield and Blockaid, on-chain data shows that the attacker drained 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the cross-chain bridge, and exchanged all these stolen assets for 5,402 ETH.



Image source: Blockaid

Security firm GoPlus further analyzed and suspects that the attacker sent low-value transactions to the cross-chain contract and called specific functions to transfer reserve assets in bulk to the hacker’s wallet. This incident is highly likely caused by forged cross-chain message verification, bypassed withdrawal logic, or access control vulnerabilities.

SlowMist founder Yu Ceng also pointed out that the reason for the theft may be that the attacker constructed a fake Merkle proof that passed verification on Verus’s Ethereum bridge (not open source), allowing them to successfully withdraw funds (ETH/tBTC/USDC). Further verification is needed for the specific details.



Image source: Yu Ceng

Additionally, about 14 hours before the attack, the attacker’s address transferred 1 ETH through the mixer Tornado Cash as initial funding. As of now, the Verus team has not issued any public response regarding this incident.

Verus incident occurs three days after THORChain breach
-------------------------

The timing of the Verus cross-chain bridge attack coincides with a breach of another well-known cross-chain liquidity protocol, THORChain, which happened three days earlier.

According to Crypto City, THORChain confirmed on May 15 that it was hacked, with losses around $10.8 million. After discovering suspicious transactions, the team immediately suspended trading and some cross-chain functions, and launched an investigation with security experts.

Preliminary investigations suggest that the hacker exploited vulnerabilities in the GG20 TSS multi-signature mechanism and malicious node collaboration, but user wallets were not compromised. The losses mainly concentrated in the protocol’s liquidity and internal asset pools.

DeFi hackers shift focus to infrastructure layer, increasing concealment and destructive power
-------------------------

This year has been turbulent for DeFi. According to DeFiLlama data, before the Verus incident in May 2026, 12 DeFi protocols had already been attacked, with total losses exceeding $20 million in that month alone. Including Verus, that’s 13 protocols with losses reaching tens of millions of dollars.

Recent hacking incidents show that attackers are shifting from simply exploiting smart contract vulnerabilities to attacking more fundamental infrastructure layers.

Risks in cross-chain protocols are much higher than single-chain DeFi, because their architecture involves cross-chain information synchronization, verification nodes, asset routing, and multi-signature processes.

Current infrastructure layer attacks include remote procedure calls (RPC), validation networks, oracles, and cross-chain information systems. These types of attacks are often harder to detect, and once successful, can directly impact and transfer large amounts of funds.

For example, the KelpDAO breach in early 2026 saw losses of up to $292 million in a short period. LayerZero, a cross-chain protocol, later reported that the core issue was KelpDAO’s use of a single validator model in its cross-chain setup.



Image source: KelpDAO

In the early 2026 KelpDAO breach, the attacker polluted RPCs, altering on-chain state information of some nodes, causing validators to misjudge the authenticity of the data, ultimately forging cross-chain info and bypassing security checks. LayerZero’s co-founder publicly admitted that the protocol’s design had flaws and expressed willingness to take responsibility.

* Detailed report: LayerZero admits design flaw: analyzing the security blind spots behind the $290 million KelpDAO hack

Crisis turns into opportunity, DeFi enters a period of reassessment
-----------------

2026 has undoubtedly been a turbulent year for DeFi, but frequent security incidents also serve as catalysts for industry reflection and growth.

Many so-called decentralized cross-chain systems still heavily rely on a few validation nodes or relay infrastructure during operation. As long as a single validator is compromised, attackers can forge cross-chain info and create or transfer assets out of thin air.

As on-chain funds grow, hackers are investing more resources into researching weaknesses in cross-chain architectures, increasing the difficulty and potential scale of infrastructure layer attacks.

The future development of DeFi is expected to shift from rapid innovation to a more secure, stable model. This includes modular architectures, permission isolation, real-time risk monitoring, and multi-layer verification systems, which will become key focuses of next-generation infrastructure. As cross-chain protocols gradually become vital to decentralized finance, market demands for stability and security will become more stringent.

At the same time, the fact that major protocols are willing to openly admit design flaws indicates that the Web3 industry is developing a more mature culture of accountability. After the KelpDAO incident, the industry quickly raised $300 million to rescue bad debts, demonstrating the resilience of the Ethereum ecosystem.

Further reading:
DeFi is too slow for the young, too risky for the old: Are we all just earning interest on government bonds and bearing junk debt risks?

Rescuing DeFi bad debts! Giants like Aave quickly raise $300 million, showcasing Ethereum’s collaborative strength